I write about Security, Cloud architecture and other interesting things.

May 22

Rotating IAM Access Keys with Lambda

TL;DR I wrote a Lambda function that revokes user access keys periodically to enforce rotation and mitigate risk. You can easily deploy this solution with Terraform or Serverless.

The useful but risky IAM Access Keys

Having the AWS CLI at hand is a great help with day-to-day tasks; however, a static access key can stay on a developer's machine permanently and poses a growing risk over time.

A key might be created to test out a tool or to run some temporary process, then stay active in AWS indefinitely, with no re-authentication ever required. It is the same problem as a website where the admin stays logged in forever because the session cookie never expires.

[Figure: access key ages reported on the IAM dashboard]

Usually these keys are copied around by hand, so they end up on the clipboard, in an IDE config file, in a .txt note, or elsewhere. The classic example is accidentally committing a key to a public repository as part of some code. No matter how secure your process is, you have to factor in the human element: bots constantly scan public GitHub repositories for exactly this kind of sensitive data.

Rotate your keys

Because of their nature, Access Keys should be rotated at least as often as passwords, ideally as often as work sessions.

Along with following the IAM best practices, I found that simply deleting user access keys on a schedule is an effective way to enforce rotation. Note that this applies to the keys of human users, e.g. developers accessing the AWS API manually. Keys used by systems and services should be rotated more carefully, with the new key in place before the old one is removed, to avoid breaking anything.

If the users also have access to the AWS Console, this forces them to log in with their MFA to create a new key. That builds a good habit of authenticating over a secure channel and reminds them of the sensitive nature of these keys.

On Monday mornings the developers generate a fresh key pair, which only takes a minute. An access key that gets forgotten somewhere then poses a risk for at most 5 days, or less depending on your schedule.
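The following is an added example of the scheduled-deletion approach described above; it is not the post's own Lambda function. It assumes (my assumption, not the post's) that human users live under the IAM paths in HUMAN_USER_PATHS while system users sit under a different path such as /service/, and that a key is only deleted once it is older than MAX_KEY_AGE_DAYS. The FakeIAM class and the SAMPLE data are constructed stand-ins mirroring the boto3 response shapes, so the module runs offline; boto3 is only imported inside the real Lambda handler.

```python
"""Added example: delete IAM access keys of human users on a schedule."""
import copy
from datetime import datetime, timedelta, timezone

# Assumptions (not from the post): human users are under these IAM paths,
# system/service users are under another path and are never touched.
HUMAN_USER_PATHS = ("/", "/developers/")
MAX_KEY_AGE_DAYS = 5


def _paginate(call, result_key, **kwargs):
    """Follow the Marker/IsTruncated pagination used by IAM list_* calls."""
    marker = None
    while True:
        params = dict(kwargs)
        if marker:
            params["Marker"] = marker
        resp = call(**params)
        yield from resp[result_key]
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def keys_to_delete(iam, now, max_age_days=MAX_KEY_AGE_DAYS, human_paths=HUMAN_USER_PATHS):
    """Return (user_name, access_key_id) pairs of human-user keys older than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    doomed = []
    for user in _paginate(iam.list_users, "Users"):
        if user["Path"] not in human_paths:
            continue  # system user: its keys are rotated by another process
        for key in _paginate(iam.list_access_keys, "AccessKeyMetadata",
                             UserName=user["UserName"]):
            if key["CreateDate"] <= cutoff:
                doomed.append((user["UserName"], key["AccessKeyId"]))
    return doomed


def rotate(iam, now=None, dry_run=False):
    """Delete every selected key (unless dry_run) and return what was selected."""
    now = now or datetime.now(timezone.utc)
    targets = keys_to_delete(iam, now)
    for user_name, key_id in targets:
        if not dry_run:
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return targets


def handler(event, context):
    """Lambda entry point for a scheduled (e.g. EventBridge cron) invocation."""
    import boto3  # imported here so the module still loads without boto3
    deleted = rotate(boto3.client("iam"), dry_run=bool((event or {}).get("dry_run")))
    return {"deleted": [f"{u}:{k}" for u, k in deleted]}


class FakeIAM:
    """Constructed stand-in exposing the boto3 IAM calls and response shapes used above."""

    def __init__(self, users):
        self.users = copy.deepcopy(users)
        self.deleted = []

    def list_users(self, **kwargs):
        return {"Users": [{"UserName": u, "Path": p} for u, (p, _) in self.users.items()],
                "IsTruncated": False}

    def list_access_keys(self, UserName, **kwargs):
        return {"AccessKeyMetadata": list(self.users[UserName][1]), "IsTruncated": False}

    def delete_access_key(self, UserName, AccessKeyId):
        self.deleted.append((UserName, AccessKeyId))
        self.users[UserName][1][:] = [k for k in self.users[UserName][1]
                                      if k["AccessKeyId"] != AccessKeyId]


NOW = datetime(2018, 5, 21, 8, 0, tzinfo=timezone.utc)  # a Monday morning
SAMPLE = {  # constructed data, not from the post; key IDs are placeholders
    "alice": ("/", [
        {"AccessKeyId": "AKIAEXAMPLEOLD00001", "CreateDate": NOW - timedelta(days=12)},
        {"AccessKeyId": "AKIAEXAMPLENEW00002", "CreateDate": NOW - timedelta(hours=2)},
    ]),
    "deploy-bot": ("/service/", [
        {"AccessKeyId": "AKIAEXAMPLEBOT00003", "CreateDate": NOW - timedelta(days=400)},
    ]),
}

if __name__ == "__main__":
    fake = FakeIAM(SAMPLE)
    print(rotate(fake, NOW))  # only alice's 12-day-old key is selected
```

Run it locally with the fake to see only the old key of the human user go; the service user's key is untouched regardless of age. If you want a softer landing than outright deletion, swap delete_access_key for update_access_key with Status="Inactive" on the first run and delete on the next, which gives a user whose key is still in use a window to notice.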